The Silver Lining of Sharing Data on Cyber-Risks

Scott L. Vernick was quoted in the Compliance Week article, “The Silver Lining of Sharing Data on Cyber-Risks.” Full text can be found in the January 20, 2016, issue, but a synopsis is below.

In December, President Obama signed the Cyber-Security Information Sharing Act into law, creating a voluntary data sharing pipeline for cyber risks between companies and the government.

While the new protocol offers safe harbors to help quell fears of violating antitrust laws, regulatory enforcement actions and legal liabilities, there has been pushback from some companies already.

“Setting aside the privacy debate that will continue to unfold, companies may nevertheless find no shortage of utility from data sharing,” says Scott L. Vernick, a noted privacy attorney.

While one segment of businesses may be unhappy because they think the legislation lacks sufficient safeguards, and another segment may think it doesn’t go far enough, Vernick says there are some provisions that businesses are likely to commend.

“Assuming that you produce the information and turn it over in accordance with the statute, you do have safe harbor and protection from civil liability,” Vernick says.

“People are glad that some legislation for information sharing with liability protection has finally been passed because it has been kicking around for so long,” he added.

There is also no “good faith” requirement under the legislation, which is good news from a business perspective. “There could have been some sort of challenge that somebody acted in bad faith even if, technically, they acted properly,” Vernick says. “A good faith standard isn’t in there, so you don’t have that messy analysis to worry about. It is just an objective compliance standard or compliance test.”

The legislation also protects companies from civil, regulatory and antitrust liability. “That’s good,” according to Vernick, “but there is no express protection from gross negligence or willful misconduct. That’s something that businesses will have to be mindful of.”

Vernick finds benefit in the exemptions provided from Freedom of Information Act requests. “People can’t figure out or track what you are doing,” he says. The exemption also prevents the plaintiffs’ bar “from trolling and looking at what companies are doing, trying to find a ‘gotcha’ moment.”

“You don’t have to worry so much about the plaintiffs’ bar looking to see whether, for example, there has been a technical violation of the securities laws, or a technical violation of a privacy policy or something else they could learn by watching what a company is sharing or not sharing with the government,” Vernick says.

Executives must also ensure they do not turn over anything unrelated to the threat data. The bright side, according to Vernick, “is that as long as you don’t have personal knowledge of turning over something unrelated to the data, you are probably going to be OK.”

The Department of Homeland Security will serve as the central collection unit for submitted information through its National Cyber-Security and Communications Integration Center and will be charged with implementing an automated system to forward information to other federal agencies.

“That has some people nervous because it puts a lot of sensitive information in the hands of government to use for a lot of different reasons and they didn’t have to get it with a subpoena or warrant,” Vernick says.